According to the quantum de Finetti theorem, if the state of an N-partite system is invariant 
under permutations of the subsystems then it can be approximated by a state where almost all 
subsystems are identical copies of each other, provided N is sufficiently large compared to the 
dimension of the subsystems. The de Finetti theorem has various applications in physics and 
information theory, where it is for instance used to prove the security of quantum cryptographic 
schemes. Here, we extend de Finetti's theorem, showing that the approximation also holds for infinite 
dimensional systems, as long as the state satisfies certain experimentally verifiable conditions. This 
is relevant for applications such as quantum key distribution (QKD), where it is often hard — or 
even impossible — to bound the dimension of the information carriers (which may be corrupted by 
an adversary). In particular, our result can be applied to prove the security of QKD based on weak 
coherent states or Gaussian states against general attacks. 
I. INTRODUCTION 

Systems studied in physics often consist of a large num- 
ber of identical subsystems. Examples include any type 
of matter with the individual molecules as subsystems, or 
a light field consisting of many modes. Similarly, in the 
context of quantum information processing, one typically 
considers settings involving a large number of identical 
information carriers, such as the photons sent over an 
optical fiber. In all these cases, the state of the overall 
system is described by a density operator on a product 
space $\mathcal{H}^{\otimes N}$. 

A main difficulty when studying large composite sys- 
tems is that their dimension, and hence the number of 
parameters needed to describe their state, grows expo- 
nentially in the number N of subsystems. This is partic- 
ularly problematic if one wants to prove that a certain 
statement holds for all possible states of the system. In 
the context of quantum information processing, the ne- 
cessity of such proofs arises, for instance, when analyzing 
the security of cryptographic protocols. Here, an adver- 
sary may maliciously manipulate the information carri- 
ers, and security must be guaranteed for any resulting 
state. 

The analysis of large composite quantum systems can 
be vastly simplified under certain symmetry assumptions, 
using a quantum version of de Finetti's classical representation
theorem [1] proposed recently in 0, Q . The theorem
states that multi-partite density operators which are
invariant under permutations of the subsystems are approximated
by convex combinations of density operators
which have i.i.d. structure $\sigma^{\otimes n}$ on most subsystems [36].
I.i.d. states can be easily parametrized (they are characterized
by the state $\sigma$ of a single subsystem), and a huge
variety of tools are available to handle them, particularly
in the area of information theory [4].

In information-theoretic applications, permutation 
symmetry of the states can often be assumed to hold 
without loss of generality due to inherent symmetries of 
the underlying problem or the processing scheme. An 
important example, which we are going to study in more 
detail, is quantum key distribution (QKD) [5, 6]. Roughly 
speaking, QKD is the art of establishing a secret key between
two distant parties, traditionally called Alice and 
Bob, connected only by an insecure quantum channel [37]. 
Most QKD protocols have the property that N signals 
are exchanged sequentially between Alice and Bob, but 
the order in which they are transmitted is irrelevant (as 
long as Alice and Bob coordinate their communication). 
One can thus equivalently assume that Alice and Bob 
reorder the signals according to a randomly chosen permutation [38].
Consequently, even if an adversary manipulates
the signals in an arbitrarily malicious way, the 
N-partite density operator describing Alice and Bob's 
information is permutation invariant. 

The quantum de Finetti theorem now implies that, for 
assessing the security of a QKD protocol, it is sufficient 
to consider the special case where the state held by Alice 
and Bob (after communication over the insecure channel) 
has i.i.d. structure. This, however, exactly corresponds 
to the situation arising in a collective attack 0, Q , where 
the adversary is bound to manipulate each of the trans- 
mitted signals independently and identically. For a large 
class of protocols, security against collective attacks is 
well understood and explicit formulas for the key rate 
are known (see, e.g., ^ for the rate of key distillation 
protocols with one-way communication). 

The reduction of security proofs to the special case of 
collective attacks, however, only works for QKD schemes 
that use low-dimensional signals. This is because the de 
Finetti representation for states on product spaces $\mathcal{H}^{\otimes N}$ 
is subject to the constraint that the dimension d of the 
subsystems $\mathcal{H}$ be sufficiently smaller than the number N 
of subsystems. In particular, the de Finetti representation
generally fails if $\mathcal{H}$ is infinite-dimensional. (There 
exist explicit examples of permutation invariant states 
on $\mathcal{H}^{\otimes N}$, with $\dim(\mathcal{H}) = N$, such that any reduced 
state $\rho^k$ on $\mathcal{H}^{\otimes k}$, for $k > 2$, is highly entangled and, 
hence, cannot be approximated by a convex combination 
of i.i.d. states [10].) 

Here, we show that the restriction of the de Finetti 
representation to low-dimensional spaces $\mathcal{H}$ can be circumvented
under certain experimentally verifiable conditions.
More precisely, we prove that for any permutation 
invariant state on a (possibly infinite-dimensional) system
$\mathcal{H}^{\otimes N}$, the reduced state on $\mathcal{H}^{\otimes N'}$, for some $N' \ll N$, 
is approximated by a mixture of density operators with 
i.i.d. structure, provided that the outcomes of a measurement
applied to a few subsystems lie within a given 
range. As a specific example, we consider measurements 
with respect to two canonical observables X and Y on 
$\mathcal{H} = L^2(\mathbb{R})$. The criterion then is that the outcomes of 
both the X and the Y measurements have small absolute 
value. 

In practical applications, this criterion is often easily 
verifiable. For example, in continuous variable quantum 
cryptography 0, E H Q [ll [11, [13, [11, [ll, which 
uses signals in $\mathcal{H} = L^2(\mathbb{R})$, measurements with respect 
to two canonical observables X and Y are usually al- 
ready part of the protocol. Our extended version of de 
Finetti's theorem then implies that these protocols are 
secure against the most general attacks, provided they 
are secure against collective attacks. The latter type of 
security is already proved for many practical continuous 
variable schemes (see, e.g., [20], which is based on [21] 
and HI). 

The remainder of this paper is organized as follows. Af- 
ter introducing some notation and terminology, we start 
in Section III with the proof of the technical lemmas and 
theorems. These are the building blocks for the derivation
of our main claim that permutation invariant states 
are approximated by almost i.i.d. states, as described in 
Section IV A. (For a first reading, one may skip Section III
and directly start with Section IV A, where it is 
shown how the individual technical claims are combined.) 
Finally, we discuss how our result can be applied to prove 
the security of QKD schemes (Section IV B). 



We denote by $S(\mathcal{H})$ the set of density operators on the 
Hilbert space $\mathcal{H}$. An operator $\rho^n \in S(\mathcal{H}^{\otimes n})$ is said to 
be permutation invariant if $\pi \rho^n \pi^\dagger = \rho^n$ for all permutations $\pi$. 



B. Restricted symmetric subspaces 

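Let be a subspace of $\mathcal{H}$, and let $k, n \in \mathbb{N}$. We define
as the projector onto the subspace of $\mathcal{H}^{\otimes k+n}$ 
spanned by all vectors in $\pi(\mathcal{H}^{\otimes k} \otimes \bar{\mathcal{H}}^{\otimes n})$, for any $\pi \in S_{k+n}$.
The projector can be decomposed into projectors
$P_0 = P_{\bar{\mathcal{H}}}$ and $P_1 = P_{\bar{\mathcal{H}}^\perp}$ onto and its orthogonal 
subspace $\bar{\mathcal{H}}^\perp$, respectively, 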

E (2) 

bG{0,l}'=+" 

where the sum ranges over all bitstrings $b = (b_1, \ldots, b_{k+n}) \in \{0, 1\}^{k+n}$ 
whose relative frequency of 1s, 

$f_b := \frac{1}{k+n} \sum_i b_i$, (3) 

is not larger than $\frac{k}{k+n}$. 

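Because $P^{k+n}_{\bar{\mathcal{H}}^{\otimes n}}$ is permutation invariant it commutes 
with any $\pi \in S_{k+n}$ and, hence, also with the projector
$P_{\mathrm{Sym}^{k+n}(\mathcal{H})}$ onto the symmetric subspace of $\mathcal{H}^{\otimes k+n}$ 
(see (1)). This implies that the product $P^{k+n}_{\bar{\mathcal{H}}^{\otimes n}} P_{\mathrm{Sym}^{k+n}(\mathcal{H})}$ 
is a projector. In the following, we denote by 
$\mathrm{Sym}^{k+n}(\mathcal{H}, \bar{\mathcal{H}}^{\otimes n})$ the support of this projector. The 
space $\mathrm{Sym}^{k+n}(\mathcal{H}, \bar{\mathcal{H}}^{\otimes n})$ thus consists of all symmetric 
vectors that can be written as superpositions of vectors
of the form $\pi(\Phi \otimes \bar{\Phi})$, for some $\Phi \in \mathrm{Sym}^k(\mathcal{H})$, 
$\bar{\Phi} \in \mathrm{Sym}^n(\bar{\mathcal{H}})$, and $\pi \in S_{k+n}$. 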

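In the special case where $\bar{\mathcal{H}} = \mathrm{span}\{\nu\}$ is the vector 
space spanned by a single vector $\nu \in \mathcal{H}$, we also write 
$\mathrm{Sym}^{k+n}(\mathcal{H}, \nu^{\otimes n})$ instead of $\mathrm{Sym}^{k+n}(\mathcal{H}, \mathrm{span}\{\nu\}^{\otimes n})$ and 
call its elements $\binom{k+n}{n}$-i.i.d. vectors (along $\nu$). We also 
say that a density operator $\rho^{k+n}$ is almost i.i.d. if its 
support is contained in $\mathrm{Sym}^{k+n}(\mathcal{H}, \nu^{\otimes n})$, for some $k \ll n$. 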



II. NOTATION AND DEFINITIONS 
A. Symmetry and permutation invariance 

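Let $S_n$ be the set of permutations on $\{1, \ldots, n\}$ and let 
be a Hilbert space. The symmetric subspace of $\mathcal{H}^{\otimes n}$, 
denoted $\mathrm{Sym}^n(\mathcal{H})$, consists of all vectors $\Phi \in \mathcal{H}^{\otimes n}$ such 
that $\pi\Phi = \Phi$ for all $\pi \in S_n$. The projector on $\mathrm{Sym}^n(\mathcal{H})$ 
can be written as 

$P_{\mathrm{Sym}^n(\mathcal{H})} = \frac{1}{n!} \sum_{\pi \in S_n} \pi$. (1) 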



C. Measurements 

Let U and V be nonnegative operators on a Hilbert 
space $\mathcal{H}$, satisfying $U \le 1$ and $V \le 1$. We define the 
function $\gamma_{U \to V}$ on [0, 1] by 

$\gamma_{U \to V}(\delta) := \sup\{\mathrm{tr}(V\sigma) : \sigma \in S(\mathcal{H});\ \mathrm{tr}(U\sigma) \le \delta\}$. (4) 

If U and V are POVM elements then $\gamma_{U \to V}(\delta)$ corresponds
to the maximum probability of obtaining outcome 
V when measuring a state $\sigma$ for which the probability of 
outcome U is at most $\delta$. 






III. TECHNICAL STATEMENTS 

A. Measurement statistics 

Let $\mathcal{U} = \{U_0, U_1\}$ and $\mathcal{V} = \{V_0, V_1\}$ be two binary 
POVMs on $\mathcal{H}$ with the property that $\gamma_{U_1 \to V_1}(\delta)$ is small 
for small $\delta$. In other words, for any state $\sigma$, outcome 1 
of measurement $\mathcal{V}$ has small probability whenever outcome 1
of measurement $\mathcal{U}$ has small probability. Intuitively,
we would then expect that the following holds. 
If k subsystems of a $(k+n)$-partite permutation invariant
state are measured according to $\mathcal{U}$, resulting in a low 
number of outcomes 1, then the number of outcomes 1 
when measuring the n remaining subsystems according 
to $\mathcal{V}$ is small, too. The following lemma makes this intuition
more precise. 

Lemma III.1. Let $\mathcal{U} = \{U_0, U_1\}$ and $\mathcal{V} = \{V_0, V_1\}$ be 
POVMs on $\mathcal{H}$, let $n > 2k$, and let $(X_1, \ldots, X_{k+n})$ be 
the $(k+n)$-partite classical outcome of the measurement 
l^0k y»n Qppij^Qfi Iq permutation invariant p'^^" G 

Pr[/x.+,...x.+„ > 7u,^vdfx,-x, +S) + S]< Skh-'^'" 

where $f_X$ denotes the relative frequency of 1s in $X$ 
(see 

Qualitatively, the statement of Lemma III.1 is a special 
case of Lemma 4.1 of [HI. For completeness, we give a 
proof in the appendix, which also yields tighter bounds 
for the choice of parameters we are interested in. 



B. Bounding the probability of projecting into a 
low-dimensional subspace 

In this section, we derive a bound on the quantity 
$\gamma_{U_1 \to V_1}$ for the case where $V_1$ corresponds to the predicate
that a measurement of $X^2 + Y^2$, for two canonical 
observables X and Y on $\mathcal{H} = L^2(\mathbb{R})$, is larger than a 
threshold $n_0$, and where $U_1$ is the predicate that the outcome
of a measurement with respect to either $X^2$ or $Y^2$ 
is at least $n_0/2$. 

For any Hermitian operator Z and $z_0 \in \mathbb{R}$ we define 
$P^{Z \ge z_0}$ as the projector onto the subspace spanned by the 
eigenspaces of Z corresponding to (generalized) eigenvalues
$z \ge z_0$. 

Lemma III.2. Let X and Y be two canonical operators 
($[X, Y] = i$), $n_0$ a positive integer, and define 

$U_1 := \frac{1}{2} P^{X^2 \ge n_0/2} + \frac{1}{2} P^{Y^2 \ge n_0/2}$, $V_1 := P^{X^2 + Y^2 \ge n_0 + 1}$. 

Then lu.^vAS) < 45 ^;^e-"»-o, with co = 1 - ^. 

Proof. The proof consists of several steps. First, we define
an operator $W_1$ and show that $V_1 \le 2W_1$. Then we 
show that, up to a constant, $W_1$ is upper bounded by 
$2U_1$. 

Let us start by defining 

$W_1 := \frac{1}{\pi} \int d^2\alpha\, |\alpha\rangle\langle\alpha|$, 

where $|\alpha\rangle$ denotes a coherent state and the integral is extended
to the complex plane with $|\alpha|^2 \ge n_0$. By expanding
$W_1$ in the Fock basis, $\{|n\rangle_f\}_{n=0}^{\infty}$, one obtains that 
$W_1 = \sum_n q_n |n\rangle_f\langle n|$ with $q_n = \Gamma(n+1, n_0)/\Gamma(n+1, 0)$, 
where $\Gamma$ is the incomplete Gamma function [24]. Since 
$q_{n+1} > q_n > 0$, we can write $V_1 \le q_{n_0}^{-1} W_1$, where 
$q_{n_0}^{-1} = \Gamma(n_0+1, 0)/\Gamma(n_0+1, n_0) < 2$, which concludes 
the first part. 

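For the second part, we first extend our Hilbert space 
to $\mathcal{H}_1 \otimes \mathcal{H}_2$, and show that we can write 

$W_1 = \int dx\,dy\; {}_f\langle 0|U(|x\rangle_X\langle x| \otimes |y\rangle_Y\langle y|)U^\dagger|0\rangle_f$, (5) 

where the integral is defined for $x, y \in \mathbb{R}$ with the restriction
$x^2 + y^2 \ge n_0$. Here $|0\rangle_f \in \mathcal{H}_2$, and $|x\rangle_X$, $|y\rangle_Y$ denote generalized
eigenstates of X and Y, respectively. Furthermore,
$U = e^{\frac{\pi}{4}(a_1^\dagger \otimes a_2 - a_1 \otimes a_2^\dagger)}$ is the so-called beam splitter 
operator [2^, where $a_{1,2} := (X_{1,2} + iY_{1,2})/\sqrt{2}$ are the 
annihilation operators acting on the first and second system,
respectively. This expression for $W_1$ can be derived 
by showing that $|f_{x,y}\rangle := {}_f\langle 0|U|x\rangle_X \otimes |y\rangle_Y = \pi^{-1/2}|\alpha\rangle$, 
with $\alpha = x + iy$. This, in turn, can be proved by realizing 
that it is an eigenstate of the annihilation operator, 

$a_1|f_{x,y}\rangle = {}_f\langle 0|(a_1 + a_2^\dagger)U|x\rangle_X \otimes |y\rangle_Y$ 
$= {}_f\langle 0|U(X_1 + iY_2)|x\rangle_X \otimes |y\rangle_Y = (x + iy)|f_{x,y}\rangle$, 

where we have used the fact that ${}_f\langle 0|a_2^\dagger = 0$ and that 
$U^\dagger(a_1 + a_2^\dagger)U = X_1 + iY_2$. The normalization factor can 
be obtained by noting that the integral over the complex
plane of $|\alpha\rangle\langle\alpha|$ equals $\pi\mathbb{1}$. By looking at the integration 
domain in (5) it is clear that $W_1 \le A + B$, where 

$A = \int dx\,dx'\; {}_f\langle 0|U(|x\rangle_X\langle x| \otimes |x'\rangle_X\langle x'|)U^\dagger|0\rangle_f$, 
$B = \int dx\,dx'\; {}_f\langle 0|U(|x'\rangle_Y\langle x'| \otimes |x\rangle_Y\langle x|)U^\dagger|0\rangle_f$, 

where the integral is restricted to $|x|^2 \ge n_0/2$ and $-\infty < x' < \infty$, 
and we have used that the integral of $|x'\rangle_X\langle x'|$ 
is equal to that of $|x'\rangle_Y\langle x'|$. Using 
$U|x\rangle_X \otimes |x'\rangle_X = |(x+x')/\sqrt{2}\rangle_X \otimes |(x-x')/\sqrt{2}\rangle_X$, $|{}_f\langle 0|x\rangle_X|^2 = e^{-x^2}/\sqrt{\pi}$, 
and changing variables in the integrals ($z' = (x+x')/\sqrt{2}$, 
$z = \sqrt{2}x$) we obtain 

$A = \frac{1}{\sqrt{\pi}} \int_{|z|^2 \ge n_0} dz\, e^{-(z-X)^2} =: F(X)$. 

Analogously, $B = F(Y)$. It is straightforward to 
show that for all $a > 0$, $F(X) \le P^{X^2 \ge a^2} + F(a)$, 
and similarly for $F(Y)$. Noting that 
$F(a) \le (1/\sqrt{\pi})\, e^{-(\sqrt{n_0} - a)^2}/(\sqrt{n_0} - a)$, for $a \in [0, \sqrt{n_0})$, and choosing
$a = \sqrt{n_0/2}$ we conclude the proof. □ 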
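The first step of the proof of Lemma III.2 rests on two properties of the Fock-basis weights $q_n$ of $W_1$: they increase with n, and $q_{n_0}^{-1} < 2$. The following added example (not part of the original paper) checks both numerically and cross-checks the closed form against the defining coherent-state integral; the function names are illustrative, and it assumes integer n, for which $\Gamma(n+1, n_0)/\Gamma(n+1, 0) = e^{-n_0} \sum_{j \le n} n_0^j/j!$.

```python
import math


def q_closed(n: int, n0: int) -> float:
    """q_n = Gamma(n+1, n0) / Gamma(n+1, 0) for integer n >= 0.

    For integer n the ratio equals exp(-n0) * sum_{j<=n} n0**j / j!,
    i.e. the probability that a Poisson(n0) variable is at most n.
    """
    term = math.exp(-n0)          # j = 0 term
    total = term
    for j in range(1, n + 1):
        term *= n0 / j            # n0**j / j!, built incrementally
        total += term
    return total


def q_integral(n: int, n0: int, steps: int = 20000) -> float:
    """Same weight from W_1 = (1/pi) * int d^2(alpha) |alpha><alpha| over
    |alpha|^2 >= n0, using |<n|alpha>|^2 = exp(-|alpha|^2) |alpha|^(2n) / n!.

    In polar coordinates with u = |alpha|^2 the angular integral cancels the
    1/pi, leaving int_{n0}^{inf} exp(-u) u^n / n! du (composite Simpson rule).
    """
    top = max(n, n0)
    upper = top + 40.0 + 12.0 * math.sqrt(top + 1.0)  # tail beyond is negligible

    def weight(u: float) -> float:
        if u == 0.0:
            return 1.0 if n == 0 else 0.0
        return math.exp(-u + n * math.log(u) - math.lgamma(n + 1))

    h = (upper - n0) / steps      # steps must be even for Simpson's rule
    acc = weight(float(n0)) + weight(upper)
    for i in range(1, steps):
        acc += (4.0 if i % 2 else 2.0) * weight(n0 + i * h)
    return acc * h / 3.0


def check_first_step(n0: int):
    """Return (q_n strictly increasing on 0..2*n0, 1/q_{n0})."""
    qs = [q_closed(n, n0) for n in range(2 * n0 + 1)]
    monotone = all(b > a > 0.0 for a, b in zip(qs, qs[1:]))
    return monotone, 1.0 / qs[n0]


if __name__ == "__main__":
    for n0 in (1, 2, 5, 10, 50):
        monotone, inv = check_first_step(n0)
        print(f"n0={n0:3d}  q increasing: {monotone}  1/q_n0 = {inv:.4f}")
    print("closed form vs. integral (n=5, n0=10):",
          q_closed(5, 10), q_integral(5, 10))
```

As $n_0$ grows, $1/q_{n_0}$ approaches 2 from below, so the bound $q_{n_0}^{-1} < 2$ is asymptotically tight.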
Lemma III.3 below is a corollary of Lemma III.1 and 
Lemma III.2. It allows to restrict the support of a 
$(2k+n)$-partite permutation invariant density operator, 
provided that measurements of the two canonical operators
X and Y on k subsystems only result in small values. 

Lemma III. 3. Let X and Y be two canonical operators 
on n, let n > 2k, let U he the support o/P^'+^'-"«,, for 
any hq > 12 In -^^^p^, and let p^fe+n ^ permutation in- 
variant density operator on T^'^^fc+n^ ^^^^ ^ ^ ^ ^^-^ 
the outcomes of measurements of k subsystems of p^fc+n 
with respect to X and Y (each chosen with probability ^) 
and let T be the event that the projection -P^^" applied 
to the remaining k + n subsystems fails. Then 



PrffmaxZ, 



^<^)A^]< 



;2g 49(fc + n)-' 



Proof. Let $U_1$ and $V_1$ be defined as in Lemma III.2. 
Furthermore, let $X_1, \ldots, X_{k+n}$ be the outcomes of the 
POVM $\mathcal{U}^{\otimes k} \otimes \mathcal{V}^{\otimes n}$ defined by $\mathcal{U} = \{1 - U_1, U_1\}$ and 
$\mathcal{V} = \{1 - V_1, V_1\}$, as in Lemma III.1. The probability we 



Pr[(m|xZf <^)a:F]^ Pr[(/x. - 0) A (/x- > ^)] 



where $f_{X^k}$ and $f_{X^n}$ are the frequencies of 1s in the tuples
$X^k = (X_1, \ldots, X_k)$ and $X^n = (X_{k+1}, \ldots, X_{k+n})$, 



respectively. With 6 := 



7{k+n) 



we have 



k-\-n 



and, hence, the probability above can be bounded by 

Pr[(/x. -0)A(/x.>>^)] 
< Pr[(/x. = 0) A (/x- > lu.^v, (/x^- + S)] 
<Pr[fx^ > ju^-.v,{fx>' + S) + 5] . 

The claim then follows from Lemma III.1. 



□ 



Remark III.4. It is straightforward to generalize 
Lemma III.3 to other measurements, specified by an arbitrary
POVM $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$. The condition max^ Zf < 
^ may then be replaced by the requirement that the out- 
comes Zi are contained in a certain set Z C Z such that 
for any 6 > 

lu.^P^iS) < 0{S) , 

where Ui := J2z4z '^'^^ where denotes the projec- 
tion onto the subspace orthogonal to a finite- dimensional 
subspace Ti, which may be chosen depending on S. For 
the considerations below fSection llV A\) . however, the di- 
mension d of Ti needs to be bounded by d < 0{S~^), so 
thatd<Oi{^)i). 



C. Purification in restricted symmetric subspaces 

The de Finetti type statements formulated in Section III D
below apply to states on the symmetric subspace.
The following lemma, which is a generalization of 
Lemma 4.2.2 of [3 (see also [3), allows to extend these 
statements to general permutation invariant density op- 
erators. 

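Lemma III.5. Let $\bar{\mathcal{H}}$ be a subspace of $\mathcal{H}$ and let $\rho^{2k+n} \in S(\mathcal{H}^{\otimes 2k+n})$ 
be permutation invariant with support contained
in the support of $P^{2k+n}_{\bar{\mathcal{H}}^{\otimes k+n}}$. Then there exists a 
purification of $\rho^{2k+n}$ on $\mathrm{Sym}^{2k+n}(\mathcal{H} \otimes \mathcal{H}, (\bar{\mathcal{H}} \otimes \bar{\mathcal{H}})^{\otimes k+n})$. 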

Proof. Let {ejjjgj be an orthonormal basis of such 
that {ej}j^K, for some if C J, is a basis of H. We can 
then define a vector $ G (g) by 



1 (gi2fe+n- 



$ = ^ (p2A;+« ^ ^ ^, 

where, for any j = (ji, . . .,j2k+n) & -Z^'"'^'' 



(6) 



e\ — Cj 



^32k + n ■ 



The state defined by <i> is obviously a purification of 
p2k+n ^ Furthermore, because p^^^"^ is permutation in- 
variant, we have for any tt € S2k+n 



(tt ® 7r)$ = (tt (g) tt) ^ (g) 1 



®2k+n\ 

n ) 



and, hence, <i> G Sym +"(7Y ®T-i). It thus remains to 
verify that $ is an element of the support of 

Since p^fc+n jg contained in the support of P?a"t+„7 the 
sum in ^ can be restricted to terms such that ej lies in 
the support of P^J'Jl^ , too (or, equivalently, the tuple j 
has at most k entries outside J). This implies that $ lies 
in the support of P^^^^t"™ <8 ^fl»t+„ • The assertion then 
follows because this support is contained in the support 
of p2*;+"i □ 



D. An extended de Finetti-type theorem 

The purpose of this section is to derive a de Finetti-type
theorem for states on the symmetric subspace 
of product spaces with possibly infinite-dimensional 
subsystems (Theorem III.7). We start, however, 
with a de Finetti-type statement for finite dimensions 
(Lemma III.6). It can be seen as a strengthened version 
of the exponential de Finetti theorem proposed in j^. 
The claim is that any $(2k+n)$-partite symmetric vector 
$\Phi$ is approximated by a superposition of vectors that are 
$\binom{k+n}{n}$-i.i.d. on $k+n$ subsystems. We note that, in contrast,
the approximation in has the form of a convex 
combination of $\binom{k+n}{n}$-i.i.d. states. A second difference 
between Lemma III.6 and the result of Q is that we use 
the overlap (i.e., the scalar product between vectors) instead
of the trace distance to quantify the quality of the 
approximation (this slightly simplifies the argument below). 

Lemma III. 6. Let Ti. be a d-dimensional Hilbert space 
and let k,n &N. There exists an isometry U from Ti®*' 
to a Hilbert space Ti.' with orthonormal basis {/iy}i/gV; 
where V is a finite set of unit vectors v Cz Ti., such that 
the following holds. For any unit vector <^ g Sym^''+" (H) 
there exists a unit vector^ G 7i'(g)Sym'^~''"(7i) of the form 



with e Sym'^+'XH, i^®") such that 



{^\{U(g> 1'^ 



k+n- 



$) > 1 - k'^e 2'=+ 



k(k + l) 



(7) 



(8) 



Note that ([5]) can be rewritten in terms of the fidelity 
F(-,-) as 

F($, {U 1^*=+")$) > 1 - fcV^^ . 

The de Finetti theorem of (Theorem 4.3.2) can then 
be obtained by taking the partial trace over Ti' in both 
arguments of F{-,-) and converting the fidelity into a 
trace distance. 

Proof. The unitary group acts irreducibly on the sub- 
space Sym'^iTi). Hence, by Schur's lemma. 



In particular, U can be made arbitrarily close to the isom- 
etry 

U := U{U^U)-^ 

on Sym''(7i), i.e., for any /i' > there exists a finite set 
V such that 

\\u -u\\ < ^l' . 

It thus remains to be shown that inequality ^ holds for 
U (because it then also holds for the isometry U, provided 
fi' is sufficiently small). 

By the definition of U, the vector {U (g) 1'^''+")$ can 
be written as 

where 



:= ^dim(Sym*(W))((i.|«'= (g> !,.+„)$ G Ti 

We now define the vector $ by choosing each $y of 
the sum ([7]) as the projection of onto the subspace 
Sym'=+"(H,J/®"), 

Note that the length of the resulting vector $ is gen- 
erally smaller than 1. However, the statement for unit 
vectors can be obtained by normalizing $ (because the 
normalization can only increase the overlap). 

Condition ^ (with U replaced by U) can now be 
rewritten as 



where vq is an arbitrary unit vector in Ti and where lu is 
the Haar measure on the set of unitaries on Ti. Note that 
the integral on the left hand side can be approximated to 
any accuracy by a sum over a finite set V of unit vectors 
ly E Ti. That is, for any ^ > there exists a finite set V 
such that 



1 p 

dim(Sym'=(H)) Sym^CH) 



< 



Let Ti' a Hilbert space with orthonormal basis {fu}i^ev 
and define the linear map U from Ti'^'' to Ti' by 



J/GV 



We then have 



dim(Sym''CH)) 
|V| 



El 



and, consequently, 



p. 



Sym'' (-H) I 



< 



or, equivalently, as 



_ fc(fc + l) 

e 2k + rr 



(9) 



(10) 



because j^y Y^i^evi'^'^l^'^) any ^ > 0. 

A straightforward calculation (cf. Eq. (4.12) of Q 
or the supplementary material of [2] for a similar but 
more detailed argument) shows that, for any vector 5* G 



/2k+n\ 
\ k+1 ) 



/k + n—l\'^ k(k+i) 
< < e 2k+^ . 

~ V 2k + n J 

Applying this bound to the individual terms in the 
sum ([TOl) gives 



i'l-^Sym''+"CH,t'»") 



1$^) < dim(Sym'=(H))e-^^ 

, fc(fc+i) 
< k e 2fc+„ , 



This implies ^TU\i and thus concludes the proof. 



□ 
Based on Lemma III.6 we now derive a de Finetti-type
theorem that applies to states on the symmetric
subspace Sym'^'=+"(H, H®3fe+«), where $\bar{\mathcal{H}}$ is a finite-dimensional
subspace of a possibly infinite-dimensional 
Hilbert space H. The claim is that, when tracing out 
the first 2k subsystems, the resulting state p^fe+n _ 
ti'2fe(p^'^'''") is close to a convex combination of (^'',^")- 
i.i.d. states /5^'^+". Here, closeness is measured in terms 
of the fidelity F{-,-). 

Theorem III. 7. LetTi. be a d- dimensional subspace of a 
Hilbert space 7i, let n, fc € N, and let be a density 

operator on Sym^''+"(H, 7^®^'=+"). Then there exists a 
probability distribution Pi, on a finite set V of unit vectors 
f G Ti and a family {pf!'~^"}i/^v of density operators on 
Sym2'=+"(H,i/®") such that 



f{p''^-,J2p.pI' 



2k+n\ 



> 1 



k'^e— 



(11) 



Proof. It suffices to prove the claim for pure; the 

statement for general density operators follows by the 
joint concavity of the fidelity (see, e.g.. Chapter 9 of [11). 
Let thus ^ G Sym*''^+"(H,7i®3fc+n-)^ j,^^ y^g^ jg ^^.^^^ 

as a superposition of vectors \E'jj/ which have at least 
2k + n subsystems contained in H (see (ITSI) and (fTB|) 
below) so that we can apply Lemma fllLBI to each of them 
individually. 

Consider the decomposition of P^^Jl„ according 
to i.e.. 



be{o,i}^''+'^ 



Ph 



(12) 



where J^'^ only consists of tuples j € Jq'^ with exactly k 
indices r such that jr = 0. 

By definition, Sym'^'=+"(H, 7Y^3'''+") is contained in 
the support of P!^^'tt+n i which is itself contained in the 
support of P^^fc (8) P^^Jlr^- Hence, any vector S 
Sym'^''"+" (H,7i®^''+") can be written as a superposition 



where, for any j G J^*^, 



*j = (<3j ® l^^'=+")«' = E *j 



(15) 



(16) 



with ^'jj' = Qj Qi'^ ■ In particular, because of the 
orthogonality of the projectors Qj, we can write as 
a convex combination 

p'^+- = tr2umm)= E tr2.(|vi'j)(vi'ji) 

= E ^'^/^r- 

with probabilities pj = tr(|^'j)('I'j|) and density operators 

pf+"=tr2,(|^j)(^j|), 

where is a unit vector parallel to Because of the 
joint concavity of the fidelity, it is thus sufficient to show 
that ([TT]) holds for aU density operators pl''^". 

Let thus j e 3^" be fixed and let, for any j' g Jfc+ti"' 
VPjj' be a normalization of We then have 



with Pq = Pf^ and Pi = P-fi±. Furthermore, let {ej}j,= j 
be a common eigenbasis of the projectors P-f^ and P-fi± , 
let Jo := J U {0} (assuming that ^ J), and define the 
projectors Qj, for j e Jq, by 



Q, 



|ej)(ej| ifjeJ. 



Then, starting from lfT2|) . it is easy to construct a decom- 
position of P^^t+n into mutually orthogonal projectors 
Qy = Q^., (g, . . . (g, Q^.,^^^ , for j' = (j; , . . . , j^fe+„), 



p2fe+n _ n 



(13) 



where J^+^" is a subset of Jq''^" containing only tuples 
j' with exactly k + n indices r such that j'^ = 0. Similarly, 
we can decompose P^^t in projectors Qj — Qj^ g) • • • (g) 
Qj2k^ for j = (ji, . . . , j2fe), 

Pr». = E Qji ® ■ • • ® Qj2fc , (14) 



where ajj' are coefficients satisfying J2y lo^jJ'P = 1- 
We now apply Lemma IIII.6I to each of the vectors 
^'jj/ in the sum individually. For this, assume with- 
out loss of generality that j = (ji, . . . , jfc, 0, . . . , 0) 
and j' = (0, ■••,0,jX+„+i,--- ,i2/c+«) with 
ji,---Jk,j'k+n+i:---^f2k+n ^ J (t^is form can al- 
ways be obtained by an appropriate reordering of the 
subsystems). The vector ^yy can then be written as 



I 60' 

■Ik + n + l 



' ew' 

■'2k + n 



where ^yy e Sym^'''+"(7i). According to Lemma HIlHI 
there exists a vector ^yy of the form 



h] E -f- ® ^ ^' ^ Sym'=+"(7i) 



with <^>yy.^ e Sym''+"(7i:,;/®") such that 

($j,y|(C/(g) l®'=+")$jj.) > 1 - k'^e-^&^ , 
where U is some fixed isometry (independent of j'). With 
the definition 

this immediately implies 

{^yy\{\®^ ®U ®\®'^^"''')^yy) > 1 - fe'^g-^W^ . 

Consider now the vector 

Since, for any two distinct G ^"^^^X ^ '^'^ projectors 
Qy and Qy are mutually orthogonal by definition, we 
have 

{^yy\{\®^ ® C/® l®2fc+n)^. 

= (*jJ'l(l'''®t^®Qj'Qj")*jJ") = 0. 
Combining this with the above, we find 

= E l"J.J'P(^jJ'l(l^' ®V® 
j' 

> 1 - fc^e . 

This inequality can be rewritten in terms of the fidelity, 
which is simply the absolute value of the scalar product. 
Together with the fact that tracing out subsystems can 
only increase the fidelity, we obtain 

i^(tr2fc(|*j>(*j|),tr«,,fe(|#j)(#j|)) >l-fc'*e-^ . 

Furthermore, because the density operator tr2fc(|\I'j)(^j|) 
is contained in the symmetric subspace Sym^*^^" (7i ) , we 
can insert a projection onto this subspace without chang- 
ing the fidelity, i.e., 

F(tr2fc(|*j)(*j|),pf+") > l-fc-^e-^ , 

where 

Pf+" :=Psy„,2.+„(„)trfc,„.(|*j)(*j|)Psy^2.+„(„) . 

It remains to verify that the density operator p?*^^" is 
of the desired form 

pf+"^^p,pf/" (17) 

for some appropriately chosen probabilities and for 
contained in the subspace Sym2'=+"(H, i^®"). For 
this, we define 

n TD ID 



where denotes the projector onto the vector 

Identity (fT7|) then follows from the orthogonality of the 
vectors f^. Furthermore, by the definition of and 
using the fact that the vectors ^yy,i^, for any fixed i/ 
and arbitrary j', are contained in the support of P^gL", 
one can readily verify that the vector "^y^ is contained 
in the support of P^^t" ■ Consequently, /5?^+" lies in the 
subspace Sym2'=+"(7^,i/»"). □ 

E. Properties of almost i.i.d. states 

Theorem III.7 gives an approximation of permutation 
invariant states in terms of almost i.i.d. states $\rho_\nu$. The 
significance of this approximation comes from the fact 
that such states are relatively easy to handle. In particular,
their properties very much resemble the properties 
of (perfect) i.i.d. states [1, [1]. For example, the entropy 
of an almost i.i.d. state $\rho_\nu$ is well approximated by the 
entropy of the corresponding perfect i.i.d. state . 

Of particular interest for information-theoretic applications
is the smooth min-entropy ^,^2^. Let $\rho_{XB}$ be a 
density operator on $\mathcal{H}_X \otimes \mathcal{H}_B$ which is classical on $\mathcal{H}_X$, 
i.e., 

$\rho_{XB} = \sum_{x \in \mathcal{X}} P_x |e_x\rangle\langle e_x| \otimes \rho_B^x$, 

for some orthonormal basis $\{e_x\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$, probabilities
$P_x$, and density operators $\rho_B^x$ on $\mathcal{H}_B$. Then, for 
any $\varepsilon > 0$, the $\varepsilon$-smooth entropy of X given B, denoted 
$H^\varepsilon_{\min}(X|B)_\rho$, corresponds to the amount of uniform randomness
(relative to B) that can be extracted from X 
by two-universal hashing [131 . (The smoothness parameter
$\varepsilon$ quantifies the quality of the resulting randomness 
in terms of its distance to a random variable which is 
perfectly uniform and independent of B). 

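For an i.i.d. state $\rho_{XB}^{\otimes N}$, the smooth min-entropy $H^\varepsilon_{\min}$ 
is asymptotically (for large N) equal to the von Neumann 
entropy S, i.e., 

$\frac{1}{N} H^\varepsilon_{\min}(X^N|B^N)_{\rho^{\otimes N}} \approx \frac{1}{N}\big(S(\rho_{XB}^{\otimes N}) - S(\rho_B^{\otimes N})\big)$ 

$= S(\rho_{XB}) - S(\rho_B) = S(X|B)$. 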

The following theorem from [3] extends (one direction 
of) this relation to almost i.i.d. states. 

Theorem III. 8. Let px^+^gk+n be a density operator 
on {Tix ® Hb)'^^'^"' which is classical on the subsys- 
tems TLx and let s > 0. If there exists a purification of 
Pxk+^B>'+^ m Sym'=+"(Hx ® Hi3 ®Hfl,i^®"); for some 
V ^'Hx®'Hb® T-Cr, then 

-i/^i,(X'=+"|B^-+"),.+„ > SiaxB) - SiaB) - S , 
where ctxb ■= tr , 

S :^ 5(ln(dimHx) + l)^'-^ + h{^) , 

and h{p) = —plnp — (1 — p) ln(l — p). 

Note that the statement depends on the dimension of 
$\mathcal{H}_X$, but is independent of the dimension of $\mathcal{H}_B$. 

IV. IMPLICATIONS 
A. Putting things together 

The aim of this section is to demonstrate how the technical
statements of Section III can be combined to give 
our main claim, namely that any permutation invariant 
state on $\mathcal{H}^{\otimes N}$ is approximated by a mixture of states 
with almost i.i.d. structure, provided the outcomes of certain
measurements on a (small) sample of the subsystems 
lie in a given range. To illustrate this, we assume for concreteness
that $\mathcal{H} = L^2(\mathbb{R})$ and that measurements on k 
subsystems are carried out with respect to two canonical
observables X and Y, each chosen with probability 
$\frac{1}{2}$. (According to Remark III.4 the argument below can 
easily be extended to more general measurements.) Furthermore,
we assume that N = and k = m^, for some 
$m \in \mathbb{N}$. 

Let d = mi and let $\bar{\mathcal{H}}$ be the support of $P^{X^2+Y^2 \le n_0}$ 
for some $n_0 \in \mathbb{N}$ such that $12\ln(7m) < n_0 < d$. We first 
apply Lemma III.3 to infer that, if all k measurement outcomes
$z_1, \ldots, z_k$ satisfy $z_i^2 < n_0/2$ then the state $\rho^{(m-1)k}$ 
on the remaining $(m-1)k$ subsystems is almost certainly 
contained in the support of P!f^^rl-%k. Hence, according 
to Lemma III.5 there exists a purification p^™"^'*^ of 
$\rho^{(m-1)k}$ on Sym("-i)'=(H(^H,(H®H)®^'""^^''). Theorem III.7
now provides an approximation of the reduced
state in terms of a mixture of almost 
i.i.d. states pi™"^^*^, parametrized by $\nu \in \mathcal{H} \otimes \mathcal{H}$. More 
precisely, each density operator pi.™ ^■''^ is contained in 
Sym("^^)''(7^ (g) H, :/»(("-9)'=), and their convex combination
is exponentially (in m) close to p(™^^)'^. In particular,
by taking the trace over the purifying systems, 
we conclude that the reduced state p(i^^)^ is approximated
by a mixture of states that have i.i.d. structure 
on $(1 - \mu - \mu')N$ subsystems, where $\mu$ = 57V ~ 4 and 

$\mu'$ = m-i. 

B. Application to QKD 

A main application of de Finetti's representation theo- 
rem is in the area of quantum information theory. As ex- 
plained in the introduction, the theorem can be employed 
for the analysis of schemes involving a large number of 
information carriers, whose joint state may be difficult 
to describe in general. A typical and practically relevant 
example is QKD, where the challenge is to find security 
proofs that take into account all possible attacks of an 
adversary. 

Most QKD protocols can be subdivided into two parts. 
In the first part, also known as distribution phase, the two 
legitimate parties, Alice and Bob, use an (insecure) quantum
communication channel in order to distribute correlated
information. (Alternatively, in an entanglement-based
scheme [6], Alice and Bob receive this correlated 
information as an input from an external source, which 
may be controlled by an adversary.) In the second part, 
the distillation phase, Alice and Bob process this informa- 
tion to extract a pair of secret keys. This process usually 
only involves classical communication (over an authentic 
channel).

The analysis based on de Finetti's theorem sketched 
below applies to a large class of QKD schemes, which in- 
cludes almost all protocols proposed in the literature [s^ . 
More concretely, the following conditions must hold. 

1. We assume that the information held by Alice 
and Bob after the distribution phase consists of N 
parts, for some sufficiently large N. The proto- 
col should be invariant under permutations of these 
parts. This requirement is usually satisfied because 
each of the N signals is prepared, sent, and received 
independently of the other signals. 

2. In the last step of the distillation phase, the final 
key is computed in a classical post-processing pro- 
cedure consisting of information reconciliation (er- 
ror correction) and privacy amplification by two- 
universal hashing [27]. As yet, no alternative 
method for distilling the final key is known, so this 
criterion is not restrictive [i^l . 

3. The protocol must perform a measurement $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$
on a sample of the received signals and
only continue if all outcomes z are contained in a
given set $\bar{\mathcal{Z}} \subset \mathcal{Z}$ that allows one to conclude that the
dimension of the relevant Hilbert space $\bar{\mathcal{H}}$ is finite
(cf. Remark III.4). Note that this requirement is
trivial if the signal space already has small dimension.

A concrete example in $\mathcal{H} = L^2(\mathbb{R})$ are measurements
$\mathcal{M}$ with respect to two canonical observables
X and Y, each of them chosen with probability
1/2. The set $\bar{\mathcal{Z}}$ can then be defined as the
set of all outcomes z such that z^ < ^ and $\bar{\mathcal{H}}$ is
the space spanned by the eigenvectors of $X^2 + Y^2$
corresponding to eigenvalues larger than $n_0$, for
some appropriately chosen $n_0$ (see Lemma III.2 and
Lemma III.3).

According to Property 1, if a key distilled from N signals
in state is secure then the same is true for the key
distilled from a permuted state np^TT^ for any permutation
$\pi \in S_N$. We can thus assume without loss of generality
that the N signals are permuted at random and,
hence, their state $\rho$ is permutation invariant. Now, according
to the argument in Section IV A and using Property 3,
we conclude that , for some N' k, N, is approximated
by a mixture of almost i.i.d. states p^ (see
previous section for explicit parameters). Finally, we use
Property 2, which implies that the only relevant quantity
is the smooth min-entropy [1^ of the measured data
conditioned on the adversary's information (see Q
for a detailed argument). By Theorem Illl.Si the smooth
min-entropy of almost i.i.d. states is approximated by
the corresponding entropy of i.i.d. states [4]. Hence, we
can without loss of generality assume that p^ is an i.i.d.
state, which could equivalently be the result of a collective
attack. Summarizing, we have thus proved that any
QKD protocol satisfying the above three conditions is secure
against general attacks whenever it is secure against
collective attacks.



CONCLUSIONS 



We have shown that permutation invariant states on 
large N-partite systems are approximated by a convex
combination of almost i.i.d. states, provided measure- 
ments on a few subsystems with respect to certain ob- 
servables only give bounded values. In particular, under 
this condition, a permutation invariant state can be con- 
sidered equal to an unknown i.i.d. state, except an arbi- 
trarily small fraction of the subsystems. This has vari- 
ous implications. Of particular interest to experimental 
physics is that state tomography can be employed with- 
out the need for i.i.d. assumptions, as discussed in Q for 
the special case of low-dimensional systems. 

Applied to quantum cryptography, our result enables
full security proofs for QKD schemes in the (practically
relevant) case where the dimension of the signal space
may be unbounded. This is an intrinsic property of continuous
variable protocols, but the necessity of taking
into account infinite-dimensional systems may also arise
in the analysis of discrete variable schemes, for instance
when they are implemented using weak coherent pulses
(see, e.g., [Ill)- The security of these schemes has been
investigated intensively, but most proofs are only valid
under the assumption of collective attacks (see Introduction
for references and [HI). The de Finetti representation
theorem derived here allows one to drop this assumption,
implying that security holds against all possible attacks.
The main requirement is that certain tests are carried
out on a sample of the transmitted signals. For continuous
variable protocols with signal states on $\mathcal{H} = L^2(\mathbb{R})$,
one possibility is to check that measurements with respect
to two canonical observables only result in small
outcomes. By modifying Lemma III.2 one may replace
this requirement by a criterion based on alternative measurable
quantities such as the photon number [29].

APPENDIX A: PROOF OF LEMMA III.1

The proof is based on the following lemma, which
states that the statistics obtained from the observation
of k out of k + n binary values $X_1, X_2, \ldots, X_{k+n}$ gives a
good estimate for the probability distribution of any of
the remaining values, provided the overall distribution is
permutation invariant.

Lemma A.1. Let n > k and let $P_{X_1, \ldots, X_{k+n}}$ be a permutation
invariant probability distribution over $\{0,1\}^{k+n}$.
Then



Pr[b|x,......x.-/x,...xJ>5] <2kh 



-kS^ 



where, for any $x = (x_1, \ldots, x_k)$, $p_{|x}$ denotes the probability
that $X_{k+1} = 1$ conditioned on $(X_1, \ldots, X_k) = x$.

Proof. Let $X = (X_1, \ldots, X_k)$. We show that

E[e'=(P|x-/x)^] < 2fci , (Al) 

where E[-] denotes the expectation value. The claim then 
follows because, by Markov's inequality, 

$$\Pr[|p_{|X} - f_X| > \delta] = \Pr[e^{k(p_{|X} - f_X)^2} > e^{k\delta^2}]$$



To show (A1) we use the observation that, for any permutation
invariant distribution $P_{Z_1 \cdots Z_k}$ of binary values,
the distribution of any individual value $Z_i$ equals the expectation
of the frequency distribution of the whole tuple
$(Z_1, \ldots, Z_k)$, i.e.,

$$\Pr[Z_i = 1] = E[f_{Z_1 \cdots Z_k}] .$$

In particular, we have for any $x = (x_1, \ldots, x_k)$,

$$p_{|x} = E[f_{X_{k+1} \cdots X_{2k}} \mid X = x] .$$
Using convexity of the function a; s- , we get 

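$$e^{k(p_{|x} - f_x)^2} = e^{k\,(E[f_{X_{k+1} \cdots X_{2k}} - f_x \mid X = x])^2} \leq E[e^{k(f_{X_{k+1} \cdots X_{2k}} - f_x)^2} \mid X = x]$$

and, hence,

$$E[e^{k(p_{|X} - f_X)^2}] \leq E[e^{k(f_{X_{k+1} \cdots X_{2k}} - f_X)^2}] .$$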

It thus remains to be shown that 

E[e'=(-''^-^-+i-^2'=~^^i-^'=)'] <2ki . (A2) 
for any permutation invariant distribution $P_{X_1 \cdots X_{2k}}$.

Because any permutation invariant distribution can be
written as a convex combination of permutation invariant
distributions with fixed frequency distribution, we can
without loss of generality assume that $f_{X_1 \cdots X_{2k}} = \frac{r}{2k}$
holds with certainty for any fixed $r \in \{0, \ldots, 2k\}$. The
expectation value on the left hand side of (A2) is then
given explicitly as



E[, 



Mfx 



min(r.fc) 

E 

s— max(0,r — A;) 



Oils 
(2k\ 



Mi- 



min(r,fc) 

E ^ 

s— max(0,r — A;) 



where 



1 n 
_ln — illA. 



(A3) 



(A4) 



To bound the term rk,r,s we use an approximation of 
the binomial coefficient by Wozencraft and Reiffen [3l| 
(see also Lemma 17.5.1 of [3^ ) 



.Nh(p) 



< 



( ^ 



^Nh{p) 



< 



where $h(p) = -p \ln p - (1-p) \ln(1-p)$ is the binary
entropy function (written with respect to the basis e)
and where $g(p) = p(1-p)$. The approximation holds for
any $N \in \mathbb{N}$ and $0 < p < 1$ such that $pN \in \mathbb{N}$. Because
$g(p) \leq \frac{1}{4}$ for any p, the first inequality implies

$$\binom{N}{pN} \geq \frac{e^{N h(p)}}{\sqrt{2N}} .$$



Furthermore, since g{p) > for any iV > 1 and < 
p < 1 — , the second inequality implies the well known 
upper bound 



\pN 



which also holds for N = 1, p = 0, and p = 1. Inserting
these bounds into (A4), we find



rk,r.s>2hi^)~h{^)-hC— 



^ln(4fc) 



(A5) 



Using some standard analysis, one finds that

$$2h\left(\frac{\alpha+\beta}{2}\right) - h(\alpha) - h(\beta) \geq (\alpha - \beta)^2$$

for any $\alpha, \beta \in [0,1]$. Combining this with (A5) and
inserting in (A3) yields (A2) and thus concludes the
proof. □
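
An added numerical check, not part of the paper: for a 2k-bit string with exactly r ones that is permuted uniformly at random, the ingredients of the proof above (the two binomial bounds and the entropy inequality) combine into the per-outcome bound Pr[s] <= 2 sqrt(k) exp(-k (a - b)^2), with a = s/k and b = (r - s)/k the frequencies of ones in the two halves. The Python below checks this against the exact hypergeometric probabilities; the function names are assumptions of this example, and the per-outcome form is derived here rather than quoted from a numbered equation.

```python
import math

def h(p):
    """Binary entropy in nats, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log(p) - (1 - p) * math.log(1 - p)

def entropy_gap(a, b):
    """2h((a+b)/2) - h(a) - h(b), which the proof lower-bounds by (a-b)^2."""
    return 2 * h((a + b) / 2) - h(a) - h(b)

def split_prob(k, r, s):
    """Exact Pr[s ones among the first k positions] when a 2k-bit string
    with exactly r ones is permuted uniformly at random (hypergeometric)."""
    return math.comb(k, s) * math.comb(k, r - s) / math.comb(2 * k, r)

def check_k(k):
    """Worst ratio Pr[s] / (2*sqrt(k)*exp(-k*(a-b)^2)) over all admissible
    (r, s); a value <= 1 means the per-outcome bound holds for this k."""
    worst = 0.0
    for r in range(2 * k + 1):
        for s in range(max(0, r - k), min(r, k) + 1):
            a, b = s / k, (r - s) / k
            bound = 2 * math.sqrt(k) * math.exp(-k * (a - b) ** 2)
            worst = max(worst, split_prob(k, r, s) / bound)
    return worst

def deviation_tail(k, r, delta):
    """Exact Pr[|f_first - f_second| > delta] for the same distribution,
    i.e. how often the sampled half misestimates the other half by > delta."""
    return sum(split_prob(k, r, s)
               for s in range(max(0, r - k), min(r, k) + 1)
               if abs(s / k - (r - s) / k) > delta)

if __name__ == "__main__":
    for k in (1, 5, 30):
        print(k, check_k(k))
    print(deviation_tail(50, 50, 0.3))
```
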



The following lemma is an immediate corollary of
Lemma A.1 applied to the sequence of values obtained
from measurements of a permutation invariant state.

Lemma A.2. Let n > k, let $\mathcal{U} = \{U_0, U_1\}$ be a binary
POVM on $\mathcal{H}$, let $\rho^{k+n} \in \mathcal{S}(\mathcal{H}^{\otimes k+n})$ be permutation
invariant, and let $(X_1, \ldots, X_k)$ be the outcome of the measurement
$\mathcal{U}^{\otimes k}$ applied to the first k subsystems of $\rho^{k+n}$.
Then

Pr[|tr(C/ipi^^...^J - > ^] < 2A:ie-^^' , 

where, for any $x = (x_1, \ldots, x_k)$, $\rho_{|x}$ denotes the reduced state
on a single subsystem conditioned on the measurement
outcome $(X_1, \ldots, X_k) = x$.

We are now ready to prove Lemma III.1.



Proof of Lemma III.1. Let $X^k = (X_1, \ldots, X_k)$ and
$X^{n/2} = (X_{k+1}, \ldots, X_{k+n/2})$ (where, for simplicity, we
assume that n is even). Applying Lemma A.2 to the
density operator $\rho_{|X^{n/2}}$ describing the state conditioned
on the outcomes of measurement $\mathcal{V}^{\otimes n/2}$ applied to n/2
subsystems of $\rho^{k+n}$, we get



Pr[|tr(C/ip[x.x"/0 ~fx^\>S]< 2k-- e-'^' . (A6) 
Similarly and using n/2 > k we find

Pr[|tr(yip[x^.X"/^) - /x"/^l >5\< 2kie-^'" . (A7) 
By the definition of the quantity $\gamma_{U_1 \to V_1}$, we have

Pr[/x"/2 > lu^^v^ ifx" + S) + 6] 
= PT[[$a : (tr(;7ir7) < /x. + 6) A (triVia) > f^,.,. - 5)] 

< Pr[(tr([/ipix^x"/2) > /x'=+'5)V(tr(-l/ipix^x"/^) < /x-/^ 

< Akh-''^' , 



where the last inequality follows from (A6) and (A7), and
the union bound.

To conclude the proof, we use the observation that 



nf Xk + l---Xk-t-n/2 ~^ n fXk + n/2 + l---Xk + n 



which implies 



< PAfx,+i-Xk+„,2 > lUi^vAfyL" +S)+6] 
+ Pi"[/x^,+„/2+i-Xfc+„ > 7c/i^yi(/xfc + S) + S] 



< skh-''^" 



□ 